mod_authnz_ldap and lookup

The Apache module mod_authnz_ldap allows an LDAP directory to be used as the database for HTTP Basic authentication and, more usefully here, as the source of authorization decisions. This page describes how to use this module in conjunction with the Lookup LDAP service and mod_ucam_webauth (Raven authentication). Together these two Apache modules allow you to restrict areas of your website to:

Compatibility

All these examples have been tested with Apache 2.4. The same directives should work with Apache 2.2 but this hasn't been tested.

Enabling modules

You need to enable the Apache modules authnz_ldap and ldap. You do this by adding suitable LoadModule directives to your Apache configuration, or by executing appropriate commands, such as (for Debian/Ubuntu/SLES systems):

The ldap module caches LDAP search and compare results, so authentication and authorization decisions are served from the cache for as long as its configuration allows. Changes made to the backing LDAP server (for example, removing someone from a group) will therefore not be reflected on the HTTP server immediately: by default both LDAPCacheTTL and LDAPOpCacheTTL are 600 seconds, so a revoked membership can remain effective for up to ten minutes. Consult the directives in mod_ldap for details of the cache tunables.

Security

Include the following Apache directive to make sure that all connections made by Apache to the LDAP server are encrypted. TLS here means STARTTLS on the standard LDAP port (389); if you give an ldaps:// URL in AuthLDAPURL instead, the mode becomes SSL and this directive is ignored. In either mode the server certificate is verified (LDAPVerifyServerCert is On by default), so the CA that issued the LDAP server's certificate must be trusted by the LDAP library Apache uses, if necessary by pointing LDAPTrustedGlobalCert at it.

LDAPTrustedMode TLS

For Debian/Ubuntu systems you can add this to /etc/apache2/mods-enabled/ldap.conf

Basic restrictions

You should use these directives inside a protection block, that is a <Directory>, <Location> or <Files> container (or a .htaccess file), alongside the AuthType directive that hands authentication to mod_ucam_webauth.

Allow access only to members of any institution (InstID) on a list

The same directives can be used to check any other attribute of the user, not just instID: replace "instID=UIS" with whichever attribute and value you want to check that the user's Lookup entry has.

DO NOT use displayName, or any other user-editable Lookup attribute, in an ldap-attribute (or ldap-filter) check: a user could simply set that attribute to whatever value grants access. displayName and many other user attributes are user editable; only check attributes the user cannot change themselves.

Allow access only to members of a group on a list

(where 101611=UIS staff and 101855=UIS test accounts). This works because Lookup exposes a user's group memberships as attributes of the user entry (groupID), so they are checked just like any other attribute. Alternatively, the group short name may be used, e.g., groupName=uis-members.
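The following configuration is an added worked example for both the institution check and the group check above; it is not taken from this page or from the UIS/Lookup documentation. The Lookup hostname, the base DN and the placeholder institution OTHERINST are assumptions; substitute the values documented for Lookup. The two group IDs are the ones quoted on this page.

```apache
# Server-level LDAP settings (for Debian/Ubuntu, ldap.conf is a natural home).
LDAPTrustedMode TLS
LDAPVerifyServerCert On

<Location "/members-of-listed-institutions">
    # Authentication is done by mod_ucam_webauth; the user name it sets is the
    # CRSid, which is matched against the uid attribute named in AuthLDAPURL.
    AuthType Ucam-WebAuth

    # mod_authnz_ldap needs a URL even though it is not doing the authentication:
    # its authorization providers search this base for the user's entry.
    # Hostname and base DN are assumptions, not values from this page.
    AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid"

    # Values listed on one ldap-attribute line are ORed: access is granted if the
    # user's entry carries any one of them. OTHERINST is a placeholder instID.
    Require ldap-attribute instID=UIS instID=OTHERINST
</Location>

<Location "/members-of-listed-groups">
    AuthType Ucam-WebAuth
    AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid"

    # Group membership is just another attribute of the user entry.
    # 101611 = UIS staff, 101855 = UIS test accounts (as stated on this page);
    # "Require ldap-attribute groupName=uis-members" is the equivalent by short name.
    Require ldap-attribute groupID=101611 groupID=101855
</Location>
```

Both checks rely on instID and groupID being maintained by Lookup rather than by the user, which is why they are safe to use where displayName is not. Remember that a result, positive or negative, is cached by mod_ldap for LDAPCacheTTL seconds before the directory is consulted again.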

More complex queries

More complex queries can be achieved using ldap-filter, which accepts an LDAP search filter expression. You can combine conditions on different attributes with AND (&), OR (|) and NOT (!), and use the * wildcard for substring matches; LDAP filters do not support regular expressions. mod_authnz_ldap wraps the expression you give in parentheses and ANDs it with the user's own uid before searching, so the outermost parentheses are omitted.
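An added example of ldap-filter, not from this page or from UIS: it grants access to UIS members who are not in the UIS test-accounts group, and shows how Apache's own RequireAny container can combine an ldap-filter check with an ldap-attribute check. The hostname and base DN in AuthLDAPURL are assumptions as before.

```apache
<Location "/uis-members-excluding-test-accounts">
    AuthType Ucam-WebAuth
    AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid"

    # LDAP filter syntax: & = AND, | = OR, ! = NOT. mod_authnz_ldap wraps this
    # expression in parentheses and ANDs it with (uid=<CRSid>), so the outer
    # parentheses are deliberately left off. 101855 = UIS test accounts.
    Require ldap-filter &(instID=UIS)(!(groupID=101855))
</Location>

<Location "/uis-staff-or-listed-group">
    AuthType Ucam-WebAuth
    AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid"

    # Apache 2.4 RequireAny/RequireAll containers combine independent Require
    # lines; here either a filter match (UIS members who are also in the UIS
    # staff group, 101611) or membership of the uis-members group is enough.
    <RequireAny>
        Require ldap-filter &(instID=UIS)(groupID=101611)
        Require ldap-attribute groupName=uis-members
    </RequireAny>
</Location>
```

A quick way to check a filter before deploying it is to run the same search by hand with ldapsearch against the directory, adding the (uid=...) term that the module appends, and confirm that the expected entries, and only those, come back.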